Academics describe scenarios that put the use of blockchain technology at risk
A couple of weeks ago, network security specialists from the International Institute of Cyber Security reported an unusual incident at Coinbase, a cryptocurrency exchange platform: an attack on its blockchain.
In the attack, a hacker somehow managed to take control of more than half of the network’s processing power and used it to rewrite the transaction history in the blockchain. This made it possible to spend the same cryptocurrency more than once (known as “double spending” in the cryptocurrency community).
According to specialists from the MIT Technology Review, since 2017 hackers have stolen nearly 2 billion dollars in virtual assets, mainly by attacking platforms such as Coinbase; in addition, these are only the known incidents, and undisclosed breaches have not been considered.
Blockchains are especially attractive to groups of malicious hackers, mainly because, unlike in traditional financial systems, transactions carried out this way cannot be reversed. In addition, although blockchain technology has unique security features, it also suffers from unique security vulnerabilities; developers who argue that blockchain technology is “impossible to hack” should reconsider their claim.
Hacking a blockchain
A blockchain is a cryptographic database maintained by a network of computers, each of which stores a copy of the most recently updated version; that is what makes it so attractive for many organizations, mainly financial ones. Even the New York Stock Exchange will be launching its own blockchain implementation.
Recently, those in charge of the Zcash cryptocurrency, which allows users to perform private transactions through complex mathematical processes, revealed the correction of “a small cryptographic flaw” incorporated into the Zcash protocol. But the protocol is not the only thing that has to be secured; to swap cryptocurrency on your own or run a node you must run a software client, which can also contain vulnerabilities.
Still, most recent hacking incidents did not occur on the blockchain itself, but on exchange platforms, the websites where users can buy, exchange, or store their virtual assets.
During the cryptomining process, nodes spend enormous amounts of processing power to demonstrate that they are sufficiently reliable to add information about new transactions to the database. If a miner somehow manages to take control of most of the network’s mining capacity, it can defraud other users by sending them payments and then creating an alternative version of the blockchain in which the transaction was never performed (this version is known as a “fork”).
The attacker, who controls most of the mining power, can make the “fork” the authorized version of the blockchain, so they can use the same cryptocurrency again.
Carrying out this type of attack against a popular blockchain is very expensive, as mentioned by specialists in network security. According to experts, renting enough processing resources to attack the Bitcoin blockchain would cost about $250k USD an hour. However, the situation changes when it comes to less popular cryptocurrencies. Considering that there are currently more than 1,500 virtual assets, such an attack becomes highly probable; moreover, the fall in the prices of these assets represents less protection for the blockchain.
Smart contract attacks
A smart contract is a computer program that runs on a blockchain network used to automate the circulation of cryptocurrency, according to its own rules.
The decentralized autonomous organizations (DAO) were created in 2016 using the Ethereum blockchain system. Shortly thereafter, an attacker stole over $60M USD in cryptocurrency by exploiting an error in a smart contract that governed the DAO. This vulnerability allowed the hacker to keep requesting money from the accounts without the system registering that the transaction had already been performed.
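The class of error described above, paying out before recording that the payout happened, can be modelled in a few lines with the unsafe ordering beside the corrected one. This is an added example and not code from the DAO or from the original article; the `Vault` class, account names and amounts are constructed for illustration, in Python rather than a contract language.

```python
class Vault:
    """Toy ledger standing in for a contract that holds deposits (constructed)."""

    def __init__(self, update_before_send: bool):
        self.update_before_send = update_before_send
        self.balances = {}
        self.pool = 0                        # funds actually held

    def deposit(self, account: str, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.pool += amount

    def withdraw(self, account: str, receive) -> None:
        amount = self.balances.get(account, 0)
        if amount == 0 or self.pool < amount:
            return
        if self.update_before_send:
            self.balances[account] = 0       # corrected: record the payout first
        self.pool -= amount
        receive(amount)                      # external code runs here
        if not self.update_before_send:
            self.balances[account] = 0       # unsafe: recorded only after the call


def run(update_before_send: bool):
    """Return (total paid to the caller, funds left in the vault)."""
    vault = Vault(update_before_send)
    vault.deposit("other_users", 90)
    vault.deposit("caller", 10)
    paid = []

    def receive(amount: int) -> None:
        paid.append(amount)
        vault.withdraw("caller", receive)    # asks again before the first call returns

    vault.withdraw("caller", receive)
    return sum(paid), vault.pool


if __name__ == "__main__":
    print("unsafe ordering   :", run(update_before_send=False))
    print("corrected ordering:", run(update_before_send=True))
```

With the unsafe ordering a 10-unit deposit pulls out the whole 100-unit pool; with the balance zeroed before the external call, the repeated request finds nothing to pay.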
In traditional computer systems, vulnerabilities can be corrected with update patches, but this does not apply to blockchain technology, as transactions in a chain cannot be reversed.
There are some alternative solutions. Although smart contracts cannot be patched, adding an additional smart contract might work as a sort of update. Developers can also implement central switches on a network, so they can stop any process if they detect anomalous activity, although, again, network security specialists emphasize that this does not reverse the cryptocurrency theft once the process is completed.
The only way to recover the money is to rewrite the transaction history: return to the point in the blockchain before the attack, create a new link for a new blockchain and have everyone on the network agree to use that specific point. This was the case with Ethereum; many users accepted the transition to another blockchain, while the rest developed Ethereum Classic.
Thousands of smart contracts could contain vulnerabilities, according to recent research. Given the nature of the blockchain, if there is an error in a smart contract, the hackers will surely find it.